Analysis
-
max time kernel
70s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
02-02-2023 10:51
General
-
Target
HEUR-Trojan.Win32.Generic-7fe5834f29daabc2f00.exe
-
Size
1.5MB
-
MD5
c532d809990659da1bc427ad039a7d5c
-
SHA1
6158717c914aea611074a14fd0527663e95ccb64
-
SHA256
7fe5834f29daabc2f0034eff990a5dcadccdbbad7a6428eea416322020f2afef
-
SHA512
b70d7d8f646d5bb1bb1a7bbd787c16647448d00291ed231b79e2193237d3ac1d00d584873cadccfea1a7494648a1c9050a056f42ce8d434a8b5318d4f2371d63
-
SSDEEP
12288:CC6105US81giZG7/N8vzvD//dH1P2TZeQmrD0:TUS813T
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
-
DCRat payload 5 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 20 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-7fe5834f29daabc2f00.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-7fe5834f29daabc2f00.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe"C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Cortana.Internal.Search\SearchApp.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\tetheringclient\lsass.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Packages\sppsvc.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\ncuprov\RuntimeBroker.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\tsf3gip\fontdrvhost.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\advpack\fontdrvhost.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5vOLwwPJF.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
C:\Windows\System32\ncuprov\RuntimeBroker.exe"C:\Windows\System32\ncuprov\RuntimeBroker.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\R5vOLwwPJF.batFilesize
211B
MD5c526ed88110620c685ff826c573bf5c8
SHA11d24a49cf5889567c05f169d262fc280b3b9faeb
SHA256c9b955d766672713356c054c9cd69ee9ac404a49b2f37aea20896d78a2653948
SHA5123623339410a33128a9ff1bcd1f697d59e79a4e7f181aae5dba55c4c8798fe34ce88a06c923e7256e999a3d9da0c97e111d563a6240ef115ffd2ded8f0c050414
-
C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exeFilesize
579KB
MD5a5bb468e6bb248387e71ff2692106d47
SHA1c673a5f6bee9ad99068a43455fac19cb4ffb948b
SHA2565caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3
SHA512fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e
-
C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exeFilesize
579KB
MD5a5bb468e6bb248387e71ff2692106d47
SHA1c673a5f6bee9ad99068a43455fac19cb4ffb948b
SHA2565caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3
SHA512fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e
-
C:\Windows\System32\ncuprov\RuntimeBroker.exeFilesize
579KB
MD5a5bb468e6bb248387e71ff2692106d47
SHA1c673a5f6bee9ad99068a43455fac19cb4ffb948b
SHA2565caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3
SHA512fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e
-
C:\Windows\System32\ncuprov\RuntimeBroker.exeFilesize
579KB
MD5a5bb468e6bb248387e71ff2692106d47
SHA1c673a5f6bee9ad99068a43455fac19cb4ffb948b
SHA2565caa9414d268c408b9a82f4442a87efa2f7f4058d44de616a17da6c5ab113bc3
SHA512fd8bdbb071ab7191ade1b19af740ceefd3743effa69c265a51bd98508aa62b73217e6fc99f19b09bd75d5403d71370a73575dd7fad3a9d1c679d0a1d7f3e743e
-
memory/556-142-0x0000000000000000-mapping.dmp
-
memory/688-146-0x0000000000000000-mapping.dmp
-
memory/1400-140-0x0000000000000000-mapping.dmp
-
memory/1848-152-0x0000000000000000-mapping.dmp
-
memory/2304-154-0x0000000000000000-mapping.dmp
-
memory/2372-147-0x0000000000000000-mapping.dmp
-
memory/2744-141-0x0000000000000000-mapping.dmp
-
memory/2776-145-0x0000000000000000-mapping.dmp
-
memory/3200-144-0x0000000000000000-mapping.dmp
-
memory/3468-148-0x0000000000000000-mapping.dmp
-
memory/3564-153-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmpFilesize
10.8MB
-
memory/3564-134-0x0000000000000000-mapping.dmp
-
memory/3564-138-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmpFilesize
10.8MB
-
memory/3564-137-0x0000000000490000-0x0000000000528000-memory.dmpFilesize
608KB
-
memory/4028-143-0x0000000000000000-mapping.dmp
-
memory/4532-149-0x0000000000000000-mapping.dmp
-
memory/4568-155-0x0000000000000000-mapping.dmp
-
memory/4568-158-0x00007FF8A99F0000-0x00007FF8AA4B1000-memory.dmpFilesize
10.8MB
-
memory/4568-159-0x00007FF8A99F0000-0x00007FF8AA4B1000-memory.dmpFilesize
10.8MB
-
memory/4748-150-0x0000000000000000-mapping.dmp
-
memory/4876-132-0x0000000000CD0000-0x0000000000E5A000-memory.dmpFilesize
1.5MB
-
memory/4876-139-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmpFilesize
10.8MB
-
memory/4876-133-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmpFilesize
10.8MB